
SpiderLabs Blog


In our previous blog we highlighted how a group of scammers was targeting financial software customers by spamming out Microsoft SharePoint URLs that led targets to fake invoices carrying malware. This time we observed the same group in another widespread campaign, spamming out similar Microsoft SharePoint URLs that link to fake Australian power and telco bills carrying malware.

Fake Energy Australia scam

EnergyAustralia, formerly known as TRUenergy, is a privately owned electricity generation and retail company in Australia. On 18 September 2017, we saw a rise in phishing messages distributing spoofed EnergyAustralia electricity bills.

Spam Message

The spam/phishing message appears as a fake EnergyAustralia power bill, as shown in Figures 1 and 2. The scammers copied legitimate email bill templates to lure victims into believing the messages are authentic. It is important to note that these messages are sent from the domain "energybrandlab.com", which differs from the official EnergyAustralia domain "energyaustralia.com.au". Further analysis of "energybrandlab.com" revealed that it was created on 17 September 2017 and registered by the same group of scammers we identified in our previous blog. The registrant information for this domain is shown here:

Figure 1: Fake power bill

Figure 2: Fake power bill with different amount

The legitimate-looking message is designed to lure the user into clicking the link to view their power bill. Clicking this link points the web browser to the URL:

Browsing to this URL downloads a zip file ("EnergyAustralia Electricity bill.zip") to the system, as shown in Figure 3. The 302 redirect appears to be a new evasive tactic used by the scammers; in previous campaigns they pointed directly to the SharePoint URL hosting the malicious script.

Unzipping the archive yields a JavaScript file, "EnergyAustralia Electricity bill.js" (see Figure 5). The JavaScript is heavily obfuscated and acts as a downloader and executor (see Figure 6).

Malware Analysis

The JScript contains obfuscated strings that can easily be de-obfuscated with a one-line Python script (see Figure 7):

Sample Obfuscated Strings:

De-obfuscation:

Figure 7: Code for De-obfuscation

This JScript is essentially a Trojan downloader and launcher. It downloads two files: the first is an EXE and the second is a PDF. The PDF is a fake EnergyAustralia bill invoice that is displayed to distract the user while the binary (EXE) executes in the background.

Here's a screenshot of the fake EnergyAustralia bill invoice that is presented to the unsuspecting victim (see Figure 8).

Figure 8: Fake Energy Australia invoice shown to users

The executable was found to be a variant of the notorious banking Trojan known as ISFB, a.k.a. Ursnif/Gozi, whose source code was leaked in 2010. Upon execution, it creates a new svchost.exe process and injects its code into that process.

The malware skips process injection if its filename is "sample.exe", "mlwr_smpl.exe", or "artifact.exe". It also refuses to run if any of the following Windows usernames is found:

TEQUILABOOMBOOM

Wilbert

admin

SystemIT

KLONE_X64-PC

John Doe

BEA-CHI

John
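The filename and username checks above are sandbox-evasion indicators that an analyst can look for when triaging a sample. The following Python is an added example written for this post, not code from the blog or from the malware; it assumes the indicators appear as plaintext ASCII or UTF-16LE strings in the file (real samples may store them encrypted), and it runs over a constructed byte blob rather than a real binary.

```python
import re

# Sandbox-evasion indicators reported for this Ursnif/Gozi sample:
# filenames under which it skips process injection, and usernames
# under which it refuses to run at all.
EVASION_FILENAMES = {"sample.exe", "mlwr_smpl.exe", "artifact.exe"}
EVASION_USERNAMES = {
    "TEQUILABOOMBOOM", "Wilbert", "admin", "SystemIT",
    "KLONE_X64-PC", "John Doe", "BEA-CHI", "John",
}

# Printable runs of at least four characters, ASCII and UTF-16LE.
_ASCII = re.compile(rb"[\x20-\x7e]{4,}")
_WIDE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> set:
    """Return printable ASCII and UTF-16LE strings found in data."""
    found = {m.group().decode("ascii") for m in _ASCII.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in _WIDE.finditer(data)}
    return found


def find_evasion_indicators(data: bytes) -> dict:
    """Map each indicator category to the known values present in data.

    Filenames match case-insensitively (NTFS is case-insensitive);
    usernames match exactly, since the sample's comparison semantics
    are not published.
    """
    strings = extract_strings(data)
    lower = {s.lower() for s in strings}
    return {
        "filenames": sorted(f for f in EVASION_FILENAMES if f.lower() in lower),
        "usernames": sorted(u for u in EVASION_USERNAMES if u in strings),
    }


def worth_closer_look(data: bytes) -> bool:
    """True when both kinds of evasion indicators are present."""
    hits = find_evasion_indicators(data)
    return bool(hits["filenames"]) and bool(hits["usernames"])


# Constructed stand-in for a string dump of a sample; not real malware bytes.
# Double NUL separators keep the naive UTF-16LE scan aligned.
SAMPLE = (
    b"MZ\x90\x00\x03junk\x00artifact.exe\x00\x00"
    + "KLONE_X64-PC".encode("utf-16-le") + b"\x00\x00"
    + b"sample.exe\x00\x00"
    + "John Doe".encode("utf-16-le") + b"\x00\x00GetUserNameW\x00"
)
```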

It collects system information and sends it to its command-and-control server at 178.33.188.154:443.

The malware is designed to hook browser processes and monitor browser activity. In addition, it can download additional plugins, such as a keylogger, an email and FTP grabber, a screen grabber, and a downloader to install further malware.

Conclusion

Scammers are spamming out counterfeit bills impersonating Australian telco and power companies in an attempt to spread malware. These bills carry malicious links leading to banking Trojans. The scammers are abusing the Microsoft SharePoint service to host their malware, and the spam emails are sent from newly registered domains owned by the same group reported earlier. Hiding malware behind links to reputable online services is used to evade detection by spam gateways, and a legitimate-looking decoy PDF bill is shown to unsuspecting victims after infection to avoid suspicion.